Twenty-six countries agree on reform to improve cyber security certification through international public-private collaboration
(New Delhi, September 8th 2014) The governments of twenty-six nations have today ratified a revision of the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (a.k.a. the Common Criteria Recognition Arrangement, CCRA). The purpose of the revision is to raise the general security of certified information and communications technology products without increasing costs or delaying the availability of such products from commercial vendors.
To accomplish these goals, it has been agreed that international Technical Communities (iTCs) should be established. Such iTCs should promote fair competition in an international, multi-stakeholder, multi-sector environment with participation from both the public and private sectors. Through collaboration in the iTCs, security functional requirements and security testing requirements for products in targeted technical areas (such as firewalls, USB storage devices, full drive encryption products, etc.) will be agreed and defined in collaborative Protection Profiles (cPPs) and supporting documents, in accordance with the Common Criteria for Information Technology Security Evaluation standard (ISO/IEC 15408). The ultimate goal of the reform is to facilitate reasonable, comparable, reproducible and cost-effective IT-security evaluation results for such products.
The chair of the CCRA management committee, Mr. Dag Ströman from the Swedish government, notes that:
“Supported unanimously by twenty-six nations, the new CCRA represents one of the most significant and exciting reforms to improve cyber security at an international level. Within the framework of the new CCRA, stakeholders in cyber security are invited to define security functional and assurance requirements in international Technical Communities. Via open, transparent and consensus-based public-private collaboration, the intricate balance between IT security and the associated cost to achieve such security can be agreed. The intent is to achieve a higher degree of harmonization of security requirements and avoid unnecessary fragmentation. Such fragmentation is costly for the vendors, who otherwise may have to certify products several times against similar but disparate national requirements. Another important goal is to make the development of IT-security requirements based on Common Criteria more agile and able to adapt over time to the ever-changing threat landscape. The new CCRA is the result of many nations’ and people’s hard efforts. It has the potential to notably improve cyber security, which is absolutely essential in today’s global society.”
The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:
- Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a stated level of assurance;
- Supporting documents are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;
- The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of the laboratory’s evaluation;
- These certificates are recognized by all the signatories of the CCRA.
The CC is the driving force for the widest available mutual recognition of secure IT products. This web portal provides information on the status of the CCRA, the CC and the certification schemes, licensed laboratories, certified products and related information, news and events.